diff --git a/bibtexbrowser.php b/bibtexbrowser.php
index edf2475..2dddb8c 100755
--- a/bibtexbrowser.php
+++ b/bibtexbrowser.php
@@ -238,15 +238,16 @@ function _zetDB($bibtex_filenames) {
// ---------------------------- HANDLING unexistent files
foreach(explode(MULTIPLE_BIB_SEPARATOR, $bibtex_filenames) as $bib) {
- $saveBib = htmlEntities($bib, ENT_QUOTES);
+ // escape $bib to prevent XSS
+ $escapedBib = htmlEntities($bib, ENT_QUOTES);
// get file extension to only allow .bib files
- $ext = pathinfo($saveBib, PATHINFO_EXTENSION);
+ $ext = pathinfo($escapedBib, PATHINFO_EXTENSION);
// this is a security protection
- if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($saveBib) || strcasecmp($ext, 'bib') != 0)) {
+ if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($escapedBib) || strcasecmp($ext, 'bib') != 0)) {
// to automate dectection of faulty links with tools such as webcheck
header('HTTP/1.1 404 Not found');
- die('the bib file '.$saveBib.' does not exist !');
+ die('the bib file '.$escapedBib.' does not exist !');
}
} // end for each